Oracle Database Listener Security Guide
INTRODUCTION
The Oracle Database Listener is the database server software component that manages the network traffic between the Oracle Database and the client. The Listener listens on a specific network port (1521 by default) and forwards incoming network connections to the database. The Listener consists of two binaries: (1) tnslsnr, which is the Listener process itself, and (2) the Listener Control Utility (lsnrctl), which is used to administer the Listener either locally on the server or remotely over the network.
Through our security assessments, Integrigy has consistently identified poor Oracle Database Listener security as a significant security risk. The majority of Oracle Database Listeners are not secured as recommended by Oracle and by security experts. Fortunately, in Oracle 10g the default Listener configuration is much more secure.
The information contained in this paper is neither new nor obscure. It may not be well known to many Oracle DBAs, but it is well known to security experts and attackers. This paper outlines the vulnerabilities in the Oracle Database Listener and provides recommendations for properly securing it. Providing minimal security for the Oracle Database Listener is simple and should be done for all Oracle installations: development, test and production.
WHY PROTECT THE LISTENER
One of the most misunderstood security issues with the Oracle Database is the security of the Listener. Generally, DBAs are not aware that an attacker can easily administer the Listener remotely and potentially take control of the server. The default installation of the Oracle Database prior to Oracle 10g allows any client on the network to administer a Listener using the "lsnrctl" program or by sending commands directly to the Listener port, because no Listener password is set and no restriction on remote administration is in place. Oracle 10.1 and above enable local OS authentication by default, which restricts administrative Listener commands (such as stop and set) to users logged in on the database server itself, unless this protection is explicitly turned off in the configuration file (listener.ora) with LOCAL_OS_AUTHENTICATION_<listener_name> = OFF.
The following are some examples of possible attacks against an Oracle 8i/9i Listener which has a default configuration and is not properly secured. Because these attacks exploit the default configuration rather than a software defect, they work even against a database that has the most recent Oracle Critical Patch Update security patches applied.
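The difference between a default pre-10g Listener and a hardened one comes down to a handful of listener.ora parameters: PASSWORDS_<listener_name> (set through lsnrctl CHANGE_PASSWORD / SET PASSWORD and SAVE_CONFIG), ADMIN_RESTRICTIONS_<listener_name> = ON, and, from 10g onward, LOCAL_OS_AUTHENTICATION_<listener_name> left at its default of ON. The following audit script is an added example written for this page, not code from the original guide or from Integrigy. It parses listener.ora's top-level "NAME = (nested value)" entries, identifies each Listener definition, and reports which of those protections are missing. The two listener.ora files embedded in it are constructed samples: the weak one mirrors a default 8i/9i installation, the hardened one shows the corrected settings (the hex password hash is a placeholder, not a real hash).

```python
import re

# Constructed sample: a default-style listener.ora with no password and no
# admin restriction, as shipped by a typical 8i/9i installation.
WEAK_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521))
    )
  )
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC = (ORACLE_HOME = /u01/app/oracle/product/9.2.0)(SID_NAME = ORCL))
  )
"""

# Constructed sample: the same Listener with the hardening parameters applied.
# The PASSWORDS_ hash is a placeholder; lsnrctl CHANGE_PASSWORD + SAVE_CONFIG
# writes the real one.
HARDENED_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521))
    )
  )
PASSWORDS_LISTENER = (0123456789ABCDEF)
ADMIN_RESTRICTIONS_LISTENER = ON
LOCAL_OS_AUTHENTICATION_LISTENER = ON
LOGGING_LISTENER = ON
"""

_TOP_LEVEL = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_listener_ora(text):
    """Split listener.ora into top-level NAME = VALUE entries.

    A top-level entry starts at column 0 with an identifier followed by '=';
    its value may continue over many indented lines of nested parentheses
    until the next top-level entry. '#' comments and blank lines are skipped.
    Keys are upper-cased because Oracle treats them case-insensitively.
    """
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = _TOP_LEVEL.match(line)
        if m:
            current = m.group(1).upper()
            entries[current] = m.group(2).strip()
        elif current is not None:
            entries[current] += " " + line.strip()
    return entries


def listener_names(entries):
    """A Listener definition is a top-level entry whose value carries an
    (ADDRESS ...) endpoint; SID_LIST_<name> entries describe services, not
    endpoints, and are excluded."""
    return [
        name for name, value in entries.items()
        if "(ADDRESS" in value.upper() and not name.startswith("SID_LIST_")
    ]


def _flag(entries, key, default):
    """Return a parameter's value with surrounding parentheses/spaces stripped,
    falling back to the given default when the parameter is absent."""
    return entries.get(key, default).strip("() ").upper()


def audit(entries):
    """Return {listener_name: [issue, ...]}; an empty list means hardened."""
    findings = {}
    for name in listener_names(entries):
        issues = []
        if f"PASSWORDS_{name}" not in entries:
            issues.append("no PASSWORDS_ entry: stop/set commands are accepted "
                          "without a password (remotely, before 10g)")
        if _flag(entries, f"ADMIN_RESTRICTIONS_{name}", "OFF") != "ON":
            issues.append("ADMIN_RESTRICTIONS not ON: runtime SET commands "
                          "can alter the Listener configuration")
        # Absent means ON on 10g and later; on 8i/9i the parameter does not
        # exist, so the PASSWORDS_ check above is the only protection there.
        if _flag(entries, f"LOCAL_OS_AUTHENTICATION_{name}", "ON") == "OFF":
            issues.append("LOCAL_OS_AUTHENTICATION explicitly OFF: 10g "
                          "local-only administration has been disabled")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_LISTENER_ORA), ("hardened", HARDENED_LISTENER_ORA)):
        for name, issues in audit(parse_listener_ora(text)).items():
            print(f"[{label}] {name}: {'OK' if not issues else ''}")
            for issue in issues:
                print(f"    - {issue}")
```

Run against a real listener.ora (read the file into `parse_listener_ora`), the script reports one block per Listener defined in the file. The parser deliberately stays at the top level: the nested (DESCRIPTION ...) structure only matters here for recognising which entries are Listeners, and the security-relevant settings are all flat NAME = VALUE lines.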